[arrl-odv:21167] Potential Security Issues With Apple iOS... Details (long)

2 NOV 2012 - 1747 CDT

To all ARRL Officers, Directors, and Vice Directors:

Even though I am a heavy user of Information Technology, I have never been a user of Apple devices of any type. Therefore, it has taken more time than I planned to research the potential security issues with the Apple iOS digital QST application.

This message consists of two parts: a brief discussion of the issues, followed by a series of questions that should be answered before any decision is made to publicly release and support the use of our Apple iOS digital QST application.

Potential Security Issues With Apple iOS Digital QST Application

1. According to Harold Kramer, the Apple iOS QST App does send tracking information to somebody. It is assumed that this information is de-identified, only includes the current geographic location of the user, and is sent to Apple.Com, or an Apple contractor. Without a verified, detailed description (from Apple?) of all of this data, there is no way of making a proper judgement of the user's data security when using this application.

2. I understand the default setting of this "data tracking feature" is ON. It can be turned OFF, but the labeling and wording used to control this "feature" is not clearly understood. At the least, I suggest the default setting for this tracking process should be OFF with a warning displayed when the user chooses to activate it.

3. When the user stops using this QST App, it is still active and could continue to send data as long as the user's device is turned on. I think most iOS users do not know this is going on.

4. There is at least one Apple iOS hacking program available at http://www.iphonetracker101.com/iphone-tracking-app that can be used to view and record keystrokes and phone audio. I suspect there are also one or more Apple iOS hacking programs that enable the insertion of programs (trojans) that will command the targeted Apple iOS device to send specified data to anonymous third party(s) without the knowledge of the device user.

Questions That Should Be Answered Before Releasing the Apple iOS Digital QST Application

1. Harold Kramer told me that Chris Imlay has vetted this contract, but I still don't know who is the contractor. Who is the contractor? What are we paying for this application?

2. What data is being collected? I can understand pages-read data that would be of use to ARRL staff to improve magazine content. The same goes for clicks on active links to track advertising response. But if things like the reader's current location, the reader's use of other applications, any financial or personal transactions by the reader, the reader's keystrokes, etc. are being sent out... the ARRL should not be receiving this information. We already have the user's ARRL membership and ham radio license data. What more do we need?

3. Is this application sending data to third parties - without the user's knowledge or agreement? Depending on the data being sent, the ARRL could be held liable for damages.

4. Is there a clearly worded, easily accessed option allowing the user to permanently stop this data collecting?

I have probably missed some points and I welcome comments and suggestions on these issues. Here is one final question for my fellow directors.

5. Do you think the ARRL Board of Directors should formally approve this IT project? In view of our past IT problems, I believe we should vote on releasing and supporting this Apple iOS digital QST application.

73 - Dick Isely, W9GIG

When Vice Director Carlson brought this to my attention a short time ago, I asked Harold to look into 3 things: what is being tracked, by whom, and for what purpose. It is not hard to turn tracking off, but the questions should be answered all the same. It is also easy to turn off iOS applications that are not in current use, but I have no idea how many Apple device users actually do it. I do it regularly to save battery. I will let Harold speak for himself about what he has discovered.

In any case, facts about the app must be fully disclosed to users, including how to disable tracking if tracking cannot be removed from the app altogether. We are taking heat from members who want an app for their devices, yesterday. But we need answers from Nxtbook/Apple.

73, Kay N3KN

Sent from my iPhone
_______________________________________________ arrl-odv mailing list arrl-odv@reflector.arrl.org http://reflector.arrl.org/mailman/listinfo/arrl-odv

I agree that Nxtbook should clarify the information which Harold requested in [arrl-odv:21157]. If Nxtbook verifies that there is no personally identifiable information tracked and that the information is standard web analytics such as pages visited, then I am comfortable with going forward with the iOS Digital QST app. This feature is in great demand among members. The app will allow iPad/iPhone users to save the QST to their devices so that it can be read when not connected to the Internet. Reading the digital QST on a tablet such as the iPad is much more popular than reading it on a computer screen!

I agree that the tracking feature and the ability to disable it needs to be clearly explained to users. Members are entitled to know what, if any, information is obtained, and to be reassured that no personally identifiable information is tracked. Members should also be given specific instructions on how to disable tracking in the iOS Settings by going to Settings/ QST/ and setting "Disable Tracking" to ON (or whatever wording staff thinks is the most clear instructions).

The original contract with Nxtbook included the specific Nxtbook charges for the iPad/iPhone app (Exhibit A). As I recall it was $1500 one-time setup, and $100 per issue. Harold can give you the specific details. This contract was approved by the A&F committee under the authority delegated by the Board. The minutes of the April 14, 2012 A&F meeting included an update at minute 15, in the COO's Operating Report, that applications for the iPhone and iPad were expected by the October issue.

The digital QST app has been beta tested and works great. When the privacy concerns are resolved, I think we should promptly release it. I see no need for further Board action.
Cliff K0CA
participants (3)
- Cliff Ahrens
- dick@pobox.com
- Kay Craigie